Document Metadata Agenda

■ Why Query on Document Metadata

■ How to Find Document Metadata

■ e.g. File -> Properties

■ Google

■ How to Create Queries in XKS

■ XKEYSCORE Document Metadata and PDF Metadata
Document Metadata Analysis

■ What? Use non-traditional selectors to find and track targets sending/receiving documents of interest

■ How? It targets documents by Author, Organization, or embedded images (logos)

■ Why? We don’t always know WHO is sending the documents, but they are “guilty-by-association” if they send/receive the document. So, who are THEY?

TOP SECRET//COMINT//REL TO USA, AUS, CAN, GBR, NZL
Finding Document Metadata

We find “Document Metadata” in File -> Properties

[Screenshot: the Microsoft Word File menu (New, Open, Close, Save, Save As, Save as Web Page, Remove Hidden Data, File Search, Versions, Web Page Preview, Page Setup, Print Preview, Print, Send To, Properties, recent files, Exit) with Properties selected]
Document Metadata Analysis

■ How do you find document metadata?

■ Passive Collection: Collected Documents already contain data

■ Active Collection: CNE “Categorized Collection” from TUNINGFORK Data or Pinwale Queries on “US-3101”

■ Open Source: Google Hacking

Finding Document Metadata

[Screenshot: an XKEYSCORE collected-document list with columns ID, To, From, CC, BCC, Date, Subject, Size and Type (text/html, application/msword, application/octet-stream) and the right-click options “Display original Raw SMTP header”, “Control C2C Trailer” and “Collected Doc Search Kwd”. Selecting a .doc opens a Document Properties panel listing Category, Company, HiddenSlideCount, LineCount, LinksUpToDate, Manager, MMClipCount, NoteCount, ParagraphCount, PresentationTarget, ScaleCrop, SlideCount, Author, CharacterCount, Comments, DateCreated and SecurityLevel]
■ Active Collection: CNE “Categorized Collection” from TUNINGFORK Data

[Screenshot: the TUNINGFORK Collection page showing Mailbox Collection, the last collection dates, and Categorized Collection counts by type (Cipher, Microsoft, Multimedia, Mail, Inst Msgr, VOIP, HTTP, Excel, Execs, Ini files, Other Office, Powerpoint, Thumbs.db), each entry with Filename Extension, Collected date and Size columns]

To find Document Metadata in TUNINGFORK, you must view each Document in Categorized Collection (manually intensive)
■ Using XKEYSCORE to query on CNE data

■ Open Source: Google Hacking

[Screenshot: a Google search for site:comsats.net.pk filetype:doc]

■ Search by domains: “site:comsats.net.pk”

■ Search by file types: “filetype:pdf”, “filetype:doc” or “filetype:xls”
Document Metadata Analysis

How to find Document Metadata when you have NEVER collected a document
Document Metadata Analysis

Take Client’s (Active User) IP address and query on it in XKEYSCORE

[Screenshot: Active User results for a yahoo.com account, then a “Search: Document Metadata” form with Extension: ppt or doc or pdf or xls, the client’s IP Address, and direction Either]
Targeting Document Metadata

■ Use XKEYSCORE to Find Who Else is sending the files
Document Metadata Analysis

Take “File Properties” information and fill-in qu

[Screenshot: Word’s Properties dialog (General, Summary, Statistics, Contents, Custom tabs) with the Summary fields Title, Subject, Author, Manager, Company, Category, Keywords, Comments, Hyperlink base and Template: Normal.dot, e.g. Author: Joe BaggaDonuts; beside it the XKEYSCORE Document Metadata query fields: Document Type, Encrypted?, Corrupted?, Filename, Extension, Subject, Creation Time, Modified Time, Unique [fulltext], Author, Last Author, Organization, Title, Language, Comment [fulltext], File/Embedded Image Hash [fulltext], Metadata Name, Metadata Value [fulltext]]
Document Metadata Analysis

Sample Query

Sample Query:
Organization = PTCL
To/From Country = Pakistan

[Screenshot: the Document Metadata form with Organization filled in, IP Address and Port rows for From and To, and Country = PK with direction Either]
Document Metadata Analysis

Sample Query (Results)
Embedded Images

■ Turn a logo into a selector

■ [logo image] = SIGINT VALUE
Embedded Images

XKEYSCORE parses out logos from within documents (PDFs, DOCs, Outlook Emails, etc.) embedded as images

Logo/Image 32-character hash can be parsed out and queried.
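As an added example (not part of the briefing): the identifying properties the Document Metadata query form keys on (Title, Author, Last Author, Organization) and a 32-character hash of each embedded image can be read straight out of a .docx with the Python standard library, which is the audit a document owner would run before a file leaves the organization. The hash is assumed to be MD5 (32 hex characters, matching the length the slide gives); the sample .docx and the names `docx_metadata` and `build_sample_docx` are constructed here.

```python
import hashlib
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespaces used by the OOXML (.docx) property parts
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# (result key, package part, element path): the identifying fields the query form lists
FIELDS = (
    ("title", "docProps/core.xml", "dc:title"),
    ("author", "docProps/core.xml", "dc:creator"),
    ("last_author", "docProps/core.xml", "cp:lastModifiedBy"),
    ("organization", "docProps/app.xml", "ep:Company"),
)

def docx_metadata(data: bytes) -> dict:
    """Return the identifying properties plus an MD5 (32 hex chars) per embedded image."""
    out = {"images": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        parts = {p: ET.fromstring(z.read(p)) for p in {f[1] for f in FIELDS} if p in names}
        for key, part, path in FIELDS:
            el = parts[part].find(path, NS) if part in parts else None
            out[key] = el.text if el is not None and el.text else None
        for name in sorted(names):
            if name.startswith("word/media/"):  # Word stores embedded images here
                out["images"][name] = hashlib.md5(z.read(name)).hexdigest()
    return out

def build_sample_docx() -> bytes:
    """Constructed sample (not a real document): minimal .docx with properties and one image."""
    core = (
        '<cp:coreProperties xmlns:cp="{cp}" xmlns:dc="{dc}">'
        "<dc:title>Quarterly Plan</dc:title><dc:creator>jdoe</dc:creator>"
        "<cp:lastModifiedBy>asmith</cp:lastModifiedBy></cp:coreProperties>"
    ).format(**NS)
    app = '<Properties xmlns="{ep}"><Company>Example Corp</Company></Properties>'.format(**NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/media/image1.png", b"abc")  # stand-in bytes for a logo
    return buf.getvalue()
```

Any field that comes back non-empty, and any image hash, is a selector the file carries with it wherever it is sent; stripping them is what Word's "Remove Hidden Data..." menu item in the earlier slide is for.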



Embedded Images

Files often contain embedded images, such as company logos.

Step 1: Identify if a document HAS an image in it
Step 2: Open Document and click on “Full Session”

[Screenshot: an XKEYSCORE session (Datetime 2009-03-26 15:54:50, Case Notation, From IP) with Header, Attachments and Meta tabs; the Quick Clicks tree lists sigint, image_summary, document_meta, document_body, an image/jpeg attachment named by its hash, office and pdf entries, plus the “Find opposite side of session” and “Find More Docs with Same hash” links]
Embedded Images

[Screenshot: the same session’s Quick Clicks tree with the image entry selected; the One-Click Searches panel shows the image’s 32-character name with and without its .jpg extension]

Step 3: In left-side menu bar, select an image and copy/paste the 32-character name (without the extension)
Step 4: Paste the 32-character name into the “File/Embedded Image Hash” Field in the Document Metadata query

[Screenshot: the XKEYSCORE search-type list (ASF and WMV Metadata, Alert, BlackBerry, CNE, Call Logs, Category DMI, Cellular DMI, Cisco Passwords, Document Metadata, ...) and the “Search: Document Metadata” form with the hash pasted into File/Embedded Image Hash [fulltext]]

Step 5: Select all of your good collection sites + SUBMIT!

[Screenshot: the Search Databases checklist (xks-central, Australian sites, CARBOY, CARDAMON) with Clear Checks, Reset Checks, Submit and Cancel buttons]
Or... You can one-click query to create a new query

[Screenshot: in the session’s Quick Clicks tree (document_meta, document_body, office/word entries), the “Find More Docs with Same hash” and “Find email address” links; choosing the first opens a “Search: Document Metadata” form pre-filled with a Query Name naming the document hash, Justification, Additional Justification, Miranda Number, and the hash in the File/Embedded Image Hash [fulltext] field]
Embedded Images

Stand-alone files can be uploaded into XKS and images parsed out

■ Useful for TAO collection that didn’t get into XKS (non United Rake)

[Screenshot: the XKEYSCORE file upload page, “You can upload SOTF and D-124 files, as well as just random files (.doc, .ppt, etc.)”, with Upload File, Browse and Upload controls and an uploaded “Employee List” document]

To task the hex values for images in CADENCE or query in PINWALE, contact the Xtreme Target Pursuit Team, S2I7 and S3114
Embedded Images

■ Questions on any of these tools or techniques, contact: